Air Traffic Control System

Rationale: The primary purpose of ATC is separation assurance. ICAO Doc 4444 defines the applicable separation minima (5 NM en-route, 3 NM terminal). Controllers need a system that presents accurate traffic information and provides tools to ensure these minima are never breached. Failure to maintain separation is the most severe safety outcome in ATC operations.

Rationale: Air Navigation Service Providers (ANSPs) are mandated by ICAO Annex 11 to provide continuous ATC service in designated airspace. Any service interruption requires emergency procedures, airspace closure, or traffic flow restrictions that create cascading delays and safety risk. The system must be architected for zero unplanned downtime.

Rationale: European regulators require ATM systems to meet ESARR 4 safety targets. The 1.55x10^-8 figure is the EUROCONTROL Target Level of Safety for the most severe failure condition (accident with no effective recovery). This drives the entire system architecture toward redundancy, diversity, and rigorous verification. National CAA certification requires evidence of compliance.

Rationale: Controller workload is a primary constraint on sector capacity and a contributor to operational errors. European ATM performance targets require sector throughput of 40+ aircraft. The system must support this through clear displays, appropriate automation, and efficient interaction design. Excessive clutter, latent alerts, or poor HMI design directly increases error probability.

Rationale: Airlines and passengers expect seamless en-route transitions. Manual telephone coordination between centres is slow, error-prone, and limits sector capacity. OLDI automation enables predictive coordination (ABI, ACT, MAC messages), reducing controller workload during handoffs and preventing coordination errors that have historically contributed to mid-air collision risk at sector boundaries.

Rationale: Air Navigation Service Provider (NATS): ANSP throughput targets are agreed with the CAA and airport operators; failure to support 60 movements/hr per sector limits FIR capacity and forces flow restrictions impacting airlines.

Rationale: UK CAA (Civil Aviation Authority): regulator has statutory rights to access ATC recordings under Air Navigation Order 2016; non-compliance risks operational licence suspension. 2h access SLA is the CAA's stated investigation enablement requirement.

Rationale: Maintenance engineering team: LRU replacement downtime drives service credit penalties with the ANSP; 30-minute MTTR is the contractual target for field maintenance. Non-interrupting LRU swap is required because the ATCS runs 24/7 with no maintenance windows.

Rationale: Adjacent ATC centre operators and EUROCONTROL CFMU: ASTERIX Cat 062 is the mandated track data exchange format (EUROCONTROL ASTERIX specification); 500ms latency is required for CFMU to compute accurate flow control predictions.

Rationale: ICAO Doc 9426 ATC Planning Manual and EUROCONTROL guidelines require ATCS training mode to be physically or logically isolated from live operations. Proficiency validation in a live system poses unacceptable risk; an incorrectly entered instruction during a training exercise could be transmitted to aircraft. Inspection of isolation architecture (separate processing, no live data write-back) plus a demonstration test confirms segregation.

Rationale: Derived from STK-REQ-009: adjacent ATC centres and CFMU flow management require ASTERIX Cat 062 data within the 500ms CFMU SLA to generate accurate flow control predictions. Message loss would create track data gaps in downstream systems that rely on the track feed for automated coordination, creating coordination hazards at sector boundaries.

Rationale: Separation minima of 5 NM en-route and 3 NM terminal require track accuracy significantly better than the separation standard to allow controllers to detect converging tracks with adequate warning. 250m en-route corresponds to approximately 2.7% of 5 NM separation, providing sufficient margin for controller assessment. Terminal 50m accuracy is driven by parallel runway approach monitoring where aircraft may be separated by only 1000ft laterally.

Rationale: Track update rate determines controller ability to detect developing conflicts. 4-second en-route rate matches the rotation period of long-range SSR and provides adequate track refresh for traffic at Mach 0.80-0.85. Terminal 1-second rate is required for approach monitoring where aircraft closure rates on final approach are high and controller reaction time is limited.

Rationale: ANSP continuity obligation requires effectively zero unplanned outage. 99.9997% (five-and-a-half nines) corresponds to 1.6 min/year, which allows for one brief automatic failover event. This drives dual-redundant hot-standby architecture with sub-5-second switchover. Each additional nine of availability roughly doubles the system cost, and 99.9997% represents the engineering optimum for ATC where the cost of an outage (airspace closure, diversion costs, safety risk) vastly exceeds redundancy investment.

Rationale: 120 seconds provides adequate time for controller assessment, pilot communication, and execution of a resolution manoeuvre. At closing speeds of 1000 kt (head-on en-route), 120 seconds corresponds to approximately 33 NM from the conflict point. The 10^-5 missed detection rate is derived from ESARR 4 safety target apportionment: the safety net is the last barrier before a mid-air collision, and its reliability must ensure the overall accident rate stays below 1.55x10^-8.

Rationale: Sector capacity of 40 aircraft per sector, across a centre with up to 25 sectors plus overflights and adjacent traffic, requires a system-wide capacity of 2500+ tracks. Flight plan count is higher because plans are filed hours before activation. The system must maintain full performance at peak loading — capacity-related performance degradation would force sector capacity restrictions during periods of highest demand.

Rationale: ATC systems are designated Critical National Infrastructure in all ICAO Contracting States. Network isolation is a mandatory cyber security control per ICAO Doc 10110 (Cyber Security Manual for Civil Aviation) and EUROCONTROL's EATM-CERT guidance. Unidirectional data diodes for external feeds eliminate the attack surface from airline networks and internet-connected met services without disrupting data ingestion — a hardware-enforced boundary cannot be compromised by software vulnerabilities.

Rationale: Power failure is identified as a Common Mode Failure that could disable all ATC services simultaneously. ICAO Annex 10 and EUROCONTROL ESARR 2 require continuous power supply for ATC facilities. 72-hour endurance is derived from the maximum credible grid outage scenario (major storm or regional grid fault) that must not force airspace closure. 500ms switchover prevents UPS battery exhaustion during mains interruption.

Rationale: Medium-Term Conflict Detection (MTCD) is required by EUROCONTROL ATM Master Plan Phase 2 to support high-density operations; 20-minute horizon gives controllers adequate time to negotiate reroutings before separation minima are threatened.

Rationale: Minimum service level following single subsystem failure is the safety case baseline for system availability architecture; 15-minute recovery is the NATS Target Level of Safety (TLS) for ATC system failure modes, derived from separation assurance temporal buffers.

Rationale: CFMU interface is a mandatory EUROCONTROL Network Manager requirement for all IFR flights; failure to maintain the B2B interface results in CFMU flow restrictions affecting all aircraft transiting the FIR.

Rationale: UK CAA CAP 670 and ICAO Annex 11 Section 6.4 mandate ATC recording for incident investigation; 30-day retention and 2h retrieval are the CAA's specified investigation enablement requirements. Tamper-evidence is required for legal admissibility.

Rationale: STK-REQ-008 requires LRU replacement without service interruption and 30-minute restoration. SYS-REQ-009 covers degraded mode continuity but does not address the maintenance procedure protocol or restoration time bound. The 30-minute target is derived from ICAO Doc 7030 ATC service continuity expectations.

Rationale: Derived from REQ-SEAIRTRAFFICCONTROL-082 (training mode isolation). The isolation boundary must be at the system architecture level to prevent accidental live system writes. The training subsystem replay capability is necessary for regulatory proficiency requirements under CAA ATC licensing standards.